Abstract. This paper considers systems for Traffic Analysis Prevention 
(TAP) in a theoretical model. It considers TAP based on padding and 
rerouting of messages and describes the effects each has on the difference 
between the actual and the observed traffic matrix (TM). The paper 
introduces an entropy-based approach to the amount of uncertainty a 
global passive adversary has in determining the actual TM, or alterna- 
tively, the probability that the actual TM has a property of interest. 
Unlike previous work, the focus is on determining the overall amount 
of anonymity a TAP system can provide, or the amount it can provide 
for a given cost in padding and rerouting, rather than on the amount of 
protection afforded particular communications. 


1 Introduction 

Previous attempts to gauge anonymity provided by an anonymous communica- 
tion system have been focused on the extent to which the actions of some entity 
are protected by that system. For example, how well protected is the anonymity 
of the sender of an arbitrary message, or its recipient, or the connection of sender 
and recipient, etc. [11,18]. Various ways to measure such protection have been 
proposed from the classic anonymity set to cryptographic techniques [12], prob- 
abilistic measures [14], and information theoretic measures [3,15]. 

The focus of this work is a bit different from all of those. Rather than examine 
how well protected the actions of a particular agent (or pair of agents) are, we will 
examine how much protection a system provides to all its users collectively. Put 
too succinctly, previous work has focused on how well the system distributes 
available anonymity, while we focus on the amount of anonymity there is to 
distribute. 

We consider a system of N nodes wanting to send (a large number of) end to 
end encrypted messages to one another over an underlying network.¹ These N 
sender nodes cooperate to try to prevent the adversary from performing traffic 
analysis by using padding and rerouting. While fielded Traffic Analysis Preven- 
tion (TAP) systems are likely to be limited in their ability to so cooperate, 
padding and rerouting are commonly proposed means to counter traffic analysis 
[1, 2, 13, 19]. Yet, there has been no theoretical analysis of how much protection 
is possible using padding and rerouting techniques. Our model allows assessment 
of upper bounds on what any system can accomplish by such means. 

Our central means to examine anonymous communication is the traffic ma- 
trix (TM), which represents all end-to-end message flows. One can examine the 
difference between observed traffic matrices and the traffic matrix of an ideal 
system to determine how much an adversary might gain from observing the sys- 
tem. Alternatively, the difference between observations on a protected system 
and an unprotected system can be examined to determine the amount of pro- 
tection afforded. Traffic matrices allow us to measure the communication costs 
of TAP methods, which gives us a potential means of comparing the costs and 
benefits of various TAP methods and systems. 

This paper uses an information-theoretic, entropy-based approach to measur- 
ing the success of a TAP system, much as Shannon used entropy to measure the 
success of a cryptosystem [16]. The goal of the group of nodes sending messages 
to one another is to make the number of possible traffic matrices (TMs) large 
enough and the probability that the actual TM is determined from what is ob- 
served low enough that the observations are essentially useless to the adversary. 
If the adversary has no a priori means of excluding any particular TM (which 
may depend on the measurement interval and the expectations of traffic), then 
the possible TMs are not just all TMs that are dominated by the observed TM, 
but all that have a rerouted TM that is dominated by the observed TM. These 
terms will be made precise in subsection 2.2. 

Previous methods of TAP have either used rerouting or padding or both (in 
addition to padding messages to a constant length and payload encryption) to 
achieve TAP. In general, the effects of these controls are to 

a. increase the total amount of traffic; 

b. increase the cryptographic processing load on the involved nodes; 

c. mask the true source and destination of individual messages; 

d. make the number of possible true traffic patterns very large. 

While traditional link encryption and padding to the link speed at the link 
level is perfect at concealing the true traffic patterns, it has many deficiencies. 
It requires that all routers in the network participate and remain secure, and 
that all are willing to saturate their links with apparent traffic, whether or not 
there is actual traffic to send. The more efficient “Neutral TM” approach used by 

¹ The network graph is not necessarily complete. 
Newman-Wolfe and Venkatraman [8, 21] still increases traffic to around twice its 
original level, depending on the spatial traffic distribution [9,20]. Onion routing 
[10, 5, 19] increases traffic greatly as well, by routing a packet through several 
(usually at least five) onion routers. One might expect this to increase the ag- 
gregate traffic by the number of onion routers the packet traverses (i.e., make 
the total load five times higher in this case).² 

This paper considers the information that is available in the static, spatial 
traffic information to a global passive adversary when transport level padding 
and rerouting are employed. 


2 Adversary Model 

As in much previous work, we assume a global passive adversary who can observe 
all traffic on all links between all nodes, that is all senders, receivers, and any 
intermediate relay points the system may contain. 

Since she observes all message flows, the global passive adversary is very 
strong, perhaps stronger than any likely real adversary. On the other hand she 
mounts no active attacks, which makes her weaker than many likely real adver- 
saries. However, our concern is to first describe means to determine a bound on 
anonymity capacity of a system even if that bound is not likely to be reached in 
practice. 

Since we are only addressing TAP, we assume no one can track redirected 
messages through an intermediate node by recognizing its format or appearance. 
Similarly, no one is able to distinguish padding messages from ‘genuine’ traffic. 
Of course, a node that is a redirection intermediary knows which incoming mes- 
sage correlates with which outgoing message, and nodes that generate and/or 
eliminate padding can recognize it locally. 

Our adversary is thus best thought of as having a traffic counter on all 
the wires between nodes. The units of traffic may be generically described as 
messages. If necessary, traffic may also be measured in bits. The rate at which 
these counters are checked governs the granularity of the picture of traffic flows 
that the adversary has. The degree of synchronization on those link clocks (i.e., 
whatever governs the frequency at which each link is checked), will also determine 
the granularity of the causal picture that the adversary has. For example, an 
adversary may be able to recognize or dismiss possible message redirections by 
observing the relative timing of flows into and out of a node. However, for the 
purposes of these initial investigations, we will consider the period of observation 
to be sufficient for all actual traffic, as well as dummy messages and rerouted 
actual traffic, to be delivered and counted. 

Note that there is some degree of noise or uncertainty due to the nature of 
measurement of traffic — it is not instantaneous but must be measured over 
some period of observation (window). Both the size of the window and the win- 
dow alignment will affect the measurements and their variation. This argues for 

² The actual load increase depends on the underlying network and the routes taken. 
decreased resolution in the measured values (e.g., the difference between 68,273 
packets and 67,542 packets may be considered to be below the noise threshold 
in the measured system; likewise, byte count numbers may also only be of use 
up to two or three digits). Study of the levels of “noise” in the measured system 
and “noise” in the measurement methods is needed to make a valid estimate of 
the appropriate level of resolution for the measurements. This paper assumes 
such considerations out of the model. 

2.1 Network and Adversary Assumptions 

For purposes of this paper, we make a number of assumptions. 

— All nodes may send, receive, or forward traffic. Thus, we do not differenti- 
ate between senders, receivers, and virtual network elements. This is most 
typically true of a peer-to-peer system; however, this could also reflect com- 
munication within an anonymizing network where the outside connections 
are either invisible or ignored. 

— All links (directed edges) have a constant fixed-bound capacity (in messages 
that can be sent in some unit of time). The number of messages that can 
be passed over any (simplex) network link is the same. Any padding or 
redirection a node passes over a link will reduce the number of messages it 
can initiate over that link. 

— All link traffic counters are checked once (simultaneously). 

This last assumption means that we do not capture any timing information or 
causal connections between message flows. Even with this simplifying assumption 
there is more than enough complexity in the network traffic information for 
an initial investigation. Further, as we have noted, a primary purpose of this 
work is to set out means to describe the anonymity capacity of a network. This 
assumption allows us to consider the temporally coarsest adversary of our model. 
Any temporal information that a finer adversary could use will only serve to lower 
such a bound. While such a coarse-grained adversary is inherently interesting 
and may even be realistic for some settings, obviously the study of an adversary 
that can take advantage of timing information is ultimately important. Such 
refinement of assumptions is possible within our general model, and we leave 
such questions for future work. 

2.2 Definitions 

Now we define some terms. 

Traffic Matrix (TM) An $N \times N$ non-negative integer matrix $T$ in which cell 
$T[i, j]$ holds the number of messages sent from node $i$ to node $j$ in the period 
of observation. The diagonal entries are all zero. 

Domination One traffic matrix $T$ dominates another traffic matrix $T'$ iff 
$\forall i, j \in [1..N]\; T[i,j] \ge T'[i,j]$. 
Neutral TM A traffic matrix in which all of the non-diagonal values are equal. 
The unit neutral TM is the neutral TM in which all the non-diagonal values 
are ones. The magnitude of a neutral TM is the constant by which the unit 
TM must be multiplied to equal the neutral TM of interest. 

Actual TM, $T_{act}$ The end-to-end traffic matrix, neither including dummy mes- 
sages nor apparent traffic arising from rerouting through intermediate nodes; 
the true amount of information required to flow among the principals in the 
period of observation. 

Observed TM, $T_{obs}$ The traffic matrix that results from treating all and only 
observed flows on links as reflecting genuine traffic, i.e., all padding is treated 
as genuine traffic and redirection is treated as multiple genuine one hop 
messages. 

Routes, flow assignments If the actual traffic matrix specifies that $T[i,j]$ 
messages must be sent from node i to node j in a period of time, then 
these messages must be routed from node i to node j either directly or in- 
directly. A route from node i to node j is a path in the network topology 
graph starting at node i and ending at node j. A flow assignment specifies 
for each path used to send messages from node i to node j how many of the 
messages are delivered using that path. 

Link Load The load on a (simplex) link is the sum of the number of messages 
delivered by the flow assignments over paths that include that link. For a flow 
assignment to be feasible, the load on a link must not exceed its capacity. 

Total Traffic Load Total traffic load in an $N \times N$ traffic matrix $T$ is 

\[ L(T) = \sum_{i, j \in [1..N]} T[i,j], \]

where $[1..N]$ is the set of integers between 1 and $N$, inclusive. That is, the 
total (or aggregate) load is just the sum of the link loads. 

Feasible TM These TMs are the only ones for which there are corresponding 
routes with flow assignments for which the combined flows on a given link 
in the graph do not exceed its capacity. 

3 Observations 

First, we notice that, depending upon $T_{obs}$, there are limits to what the true 
traffic matrix can be, no matter what TAP techniques might be used. For 
example, if a node $A$ in $T_{obs}$ has a total incoming flow of $f_{in,T_{obs}}(A)$, 

\[ f_{in,T_{obs}}(A) = \sum_{i=1}^{N} T_{obs}[i, A], \]

then the total incoming flow for the same node $A$ in $T_{act}$ is bounded by that 
same total, that is, 

\[ f_{in,T_{act}}(A) \le f_{in,T_{obs}}(A). \]
This is true because the observed incoming flow includes all of the traffic destined 
for $A$, as well as any dummy packets or redirected messages for which $A$ is the 
intermediate node. For similar reasons, the outgoing flow of any node $A$ in $T_{act}$ 
is bounded by the observed outgoing flow in $A$. 

The topology (graph connectivity) of the network and the link capacities 
limit the possible traffic matrices that can be realized. As noted, feasible TMs are 
the only ones for which there are corresponding routes with flow assignments for 
which the combined flows on a given link in the graph do not exceed its capacity. 
Based on the limitations of the network, the set of possible traffic matrices is 
therefore finite (if we consider integer number of packets sent over a period of 
observation). Define the set of possible traffic matrices for a network represented 
by a directed graph $G = \langle V, E \rangle$ with positive integer edge³ weights $w : E \to \mathbb{N}$ 
to be 

\[ \mathcal{T}_{\langle G, w \rangle} = \{T \mid T \text{ is feasible in } \langle G, w \rangle\}. \]

The graphs we consider are cliques, but a node A may be able to send more data 
to node B than the link directly from A to B can carry, by sending some of the 
messages through an intermediate node. 

Beyond the limits of the network itself, our adversary is able to observe all 
of the traffic on the links, and from observations over some period of time, form 
an observed traffic matrix, $T_{obs}$. As previously noted, since any traffic matrix $T$ 
reflects the end-to-end traffic between nodes, $T_{obs}$ can be thought of as reflecting 
the pretense that there are no messages sent indirectly, i.e., all messages arrive 
in one hop. The observed traffic matrix further limits the set of actual traffic 
matrices possible, as they must be able to produce the observed traffic matrix 
after modifications performed by the TAP system. For example, it is not feasible 
for the total traffic in the actual TM to exceed the total traffic in the observed 
TM. 

Let the set of traffic matrices compatible with an observed TM, $T_{obs}$, be 
defined as 

\[ \mathcal{T}_{T_{obs}} = \{T \mid T \text{ could produce } T_{obs} \text{ by TAP methods}\}. \]

Note that $\mathcal{T}_{T_{obs}} \subseteq \mathcal{T}_{\langle G, w \rangle}$, since the observed traffic matrix must be feasible, 
and that $T_{act}, T_{obs} \in \mathcal{T}_{T_{obs}}$. 

We now describe the effect of TAP methods in determining $\mathcal{T}_{T_{obs}}$. Further 
details on the TAP transforms themselves are presented in section 6. A unit 
padding transform reflects adding a single padding message on a single link and 
results in incrementing, by one, the value of exactly one cell of a traffic matrix. 
A unit rerouting transform reflects redirecting a single message via a single other 
node. So, rerouting one unit of traffic from A to B via C causes the traffic from 
A to B to decrease by one unit, and the traffic from A to C and from C to B 

³ Edge weights can be considered the number of packets or the number of bytes that 
a link can transfer over the period of observations. We can also consider node ca- 
pacities, which could represent the packet switching capacity of each node, but for 
now consider this to be infinite and therefore not a limitation. 
each to increase by one unit. This causes the traffic in the new TM to remain 
constant for A’s row and for B’s column, but to increase by one unit for C’s 
column and C’s row (C now receives and sends one more unit of traffic than 
before). The total load therefore increases by one unit also (two unit increases 
and one unit decrease for a net of one unit increase — we replaced one message 
with two). 

We say that a traffic matrix $T$ is P-derivable from traffic matrix $T'$ iff $T$ is 
the result of zero or more unit padding transforms on $T'$. We say that a traffic 
matrix $T$ is $k$-P-derivable from traffic matrix $T'$ iff $T$ is the result of exactly 
$k$ unit padding transforms on $T'$. This is true iff $\forall i,j\; T'[i,j] \le T[i,j]$ and 

\[ L(T) = L(T') + k. \]

Note that the set of P-derivable traffic matrices from some TM $T$ is the union 
for $k = 0$ to $L(T)$ of the sets of $k$-P-derivable TMs relative to $T$. 

We say that a traffic matrix $T$ is R-derivable from another traffic matrix 
$T'$ iff $T$ is the result of zero or more unit rerouting transforms on $T'$. We say 
that a traffic matrix $T$ is $k$-R-derivable from another traffic matrix $T'$ iff $T$ is 
the result of exactly $k$ unit rerouting transforms on $T'$. The set of R-derivable 
traffic matrices from some TM $T$ is the union for $k = 0$ to $L(T)$ of the sets of 
$k$-R-derivable TMs relative to $T$. 

We say that a traffic matrix $T$ is R,P-derivable from another traffic matrix 
$T'$ iff $T$ is the result of zero or more unit padding or rerouting transforms on $T'$. 
We say that a traffic matrix $T$ is $k$-R,P-derivable from another traffic matrix 
$T'$ iff $T$ is the result of exactly $k$ unit padding or rerouting transforms on $T'$. 
The set of R,P-derivable traffic matrices from some TM $T$ is the union for $k = 0$ 
to $L(T)$ of the sets of $k$-R,P-derivable TMs relative to $T$. 

In general, padding and rerouting transformations may be described as addi- 
tion of specific unit transformation matrices to a given TM. This will be explored 
further in section 6. Note that, in most cases, padding and rerouting operations 
commute.⁴ 
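As an added illustration (not code from the paper), the unit padding and unit rerouting transforms of this section applied to a constructed 3-node traffic matrix, together with the incoming/outgoing flow bound from the start of the section and the $k$-P-derivability test; the matrices and helper names are constructed here, and the point it makes is the one raised in the introduction: a rerouted actual TM need not be dominated by the observed TM.

```python
# Added example, not from the paper: the unit padding and unit rerouting
# transforms of Section 3 on a constructed 3-node traffic matrix, the
# incoming/outgoing flow bound, and the k-P-derivability test. Matrices are
# lists of rows; T[i][j] is the message count from node i to node j, diagonal 0.
from copy import deepcopy

def total_load(T):
    """L(T): the sum of all cells."""
    return sum(map(sum, T))

def dominates(T, Tp):
    """T dominates T' iff T[i,j] >= T'[i,j] for every i, j."""
    n = len(T)
    return all(T[i][j] >= Tp[i][j] for i in range(n) for j in range(n))

def in_flow(T, a):
    """f_in,T(A): the total traffic arriving at node a."""
    return sum(row[a] for row in T)

def out_flow(T, a):
    """The total traffic leaving node a."""
    return sum(T[a])

def unit_pad(T, a, b):
    """Unit padding: one dummy message on link a->b; exactly one cell grows by one."""
    assert a != b, "no self links"
    R = deepcopy(T)
    R[a][b] += 1
    return R

def unit_reroute(T, a, b, c):
    """Unit rerouting: one a->b message is sent via c instead, so a->b drops by
    one while a->c and c->b each rise by one (net load +1). Footnote 4 of the
    paper restricts rerouting to actual traffic, hence the T[a][b] >= 1 check."""
    assert len({a, b, c}) == 3, "a, b, c must be distinct nodes"
    assert T[a][b] >= 1, "no actual a->b message to reroute"
    R = deepcopy(T)
    R[a][b] -= 1
    R[a][c] += 1
    R[c][b] += 1
    return R

def k_p_derivable(T, Tp):
    """Return k if T is k-P-derivable from T' (T' <= T pointwise and
    L(T) = L(T') + k), else None. Rerouting is not captured by this test."""
    if not dominates(T, Tp):
        return None
    return total_load(T) - total_load(Tp)

# Constructed actual TM: node 0 sends two messages to node 1, node 1 sends one
# each to nodes 0 and 2, node 2 sends nothing.
T_ACT = [[0, 2, 0],
         [1, 0, 1],
         [0, 0, 0]]

def disguise(T_act):
    """One possible TAP transformation (constructed): reroute one 0->1 message
    via node 2, then pad link 2->0 with one dummy. Returns the observed TM."""
    T = unit_reroute(T_act, 0, 1, 2)
    return unit_pad(T, 2, 0)

def bounds_hold(T_act, T_obs):
    """Section 3's observation: per-node in/out flow of T_act never exceeds T_obs's."""
    n = len(T_act)
    return all(in_flow(T_act, a) <= in_flow(T_obs, a) and
               out_flow(T_act, a) <= out_flow(T_obs, a) for a in range(n))

if __name__ == "__main__":
    T_obs = disguise(T_ACT)
    print("L(T_act) =", total_load(T_ACT), " L(T_obs) =", total_load(T_obs))
    print("flow bounds hold:", bounds_hold(T_ACT, T_obs))
    # The rerouted message makes cell (0,1) smaller in T_obs than in T_act, so
    # T_obs does not dominate T_act even though T_act could have produced it.
    print("T_obs dominates T_act:", dominates(T_obs, T_ACT))
    print("k-P-derivable from the rerouted TM:",
          k_p_derivable(T_obs, unit_reroute(T_ACT, 0, 1, 2)))
```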


4 Problem Statement 

This section defines the problems considered. In this model, the “sender” consists 
of all of the N nodes listed in the traffic matrix, which cooperate to try to disguise 
an actual traffic matrix $T_{act}$ by performing TAP operations to produce the traffic 
matrix $T_{obs}$ observed by the global, passive adversary. This aggregate sender 
must deliver all of the messages required by $T_{act}$ in the period of observation, 
and we assume there is sufficient time to do this. 


⁴ If a padding message may then be rerouted, then padding first offers more options 
for the subsequent rerouting. We do not consider this useful, and limit rerouting to 
actual traffic. 
4.1 Sender 


The aggregate sender is given the actual TM, $T_{act}$, and must produce the set 
of TAP transformations on it to create the observed TM, $T_{obs}$. The sender may 
be under some cost constraints (in which case the goal is to create the greatest 
amount of uncertainty in the adversary possible within the given budget), or may 
be required to create an observed TM, $T_{obs}$, that meets some goal of obfuscation 
(at a minimum cost). 


4.2 Adversary 

The adversary may ask generically the following question, “Is $T_{act} \in T^*$?”, where 
$T^* \subseteq \mathcal{T}_{\langle G, w \rangle}$ is some set of TMs of interest to the adversary. Note that $T^*$ may 
be a singleton, which means that the adversary has some particular TM in which 
he has interest, and through a series of such questions, the adversary can attempt 
to determine the actual TM, $T_{act}$, exactly. More often, the adversary may not 
care about some of the communicating pairs, and may not even care about the 
detailed transmission rates between the pairs of interest. 

In general, the property $T^*$ can be given as the union of sets of the form 

\[ T^*_k = \{T \mid \alpha_{ij,k} \le T[i,j] \le \beta_{ij,k}\ \ \forall i, j = 1, 2, \dots, N\}, \]

i.e., a range set, in which the values of the cells of the TM are constrained to lie 
within some range. So 

\[ T^* = \bigcup_k T^*_k. \]

Observe that the set of these range sets is closed under set intersection, that is, 
the intersection of two range sets results in another range set.⁵ 

It may be more apropos to rephrase the question as, “What is the probability 
that the actual TM has the property of interest, given the observed TM,” i.e., 
$\Pr(T_{act} \in T^* \mid T_{obs})$, since under most circumstances, whether or not $T_{act}$ is in 
$T^*$ cannot be known with certainty. 

\[ \Pr(T_{act} \in T^* \mid T_{obs}) = \sum_{T \in T^*} \Pr(T \mid T_{obs}). \]

Absent a priori information to give one possible TM (i.e., one consistent with 
the observations) a greater likelihood of having been the actual TM, we can 
give all those TMs consistent with the observed TM equal weight, so that 

\[ \Pr(T \mid T_{obs}) = \frac{1}{|\mathcal{T}_{T_{obs}}|}. \]

This is the maximum entropy result, with 

\[ \Pr(T_{act} \in T^* \mid T_{obs}) = \frac{|\mathcal{T}_{T_{obs}} \cap T^*|}{|\mathcal{T}_{T_{obs}}|}. \]


⁵ These kinds of properties may be of interest to adversaries exercising a network 
covert channel. 



Adversary possession of a priori information may reduce anonymity in two 
ways. 

1. She may limit $\mathcal{T}_{T_{obs}}$ further by using knowledge about this instance of $T_{act}$,⁶ 
e.g. “At least one of the nodes did not send any real traffic.” Such constraints 
on $\mathcal{T}_{T_{obs}}$ may be expressed by using the same techniques as we used to express 
matrices of interest, $T^*$. 

2. She may alter relative probabilities of the TMs within $\mathcal{T}_{T_{obs}}$ (which leads 
to submaximal entropy). Examples of this include the adversary possessing 
a probability distribution over the total amount of traffic in $T_{act}$ or the 
total cost which the sender is prepared to incur to disguise the actual 
traffic matrices (see Section 5.2). Indeed, the adversary may even possess a 
probability distribution over the $T_{act}$ that she expects will occur. 

So, in the end, it is not necessary to make the observed traffic matrix, $T_{obs}$, 
neutral; it is enough to disguise $T_{act}$ so that the adversary’s knowledge of its 
properties of interest is sufficiently uncertain. 

5 Traffic Analysis Prevention Metrics 

This section considers the degree to which the sender can make the adversary 
uncertain regarding the nature of $T_{act}$. First, it considers the costs of performing 
TAP operations, then considers the strategies the sender may have, and the 
effects of these on the adversary’s knowledge. Finally, the effects of a priori 
knowledge by the adversary are evaluated. 

5.1 Cost Metrics 

Rerouting and padding are not free operations. Unit padding adds one more 
message from some source to some destination in the period (increasing exactly 
that cell by one unit and no others). Unit rerouting from node A to node B via 
node C decreases the traffic from A to B by one unit, but increases the traffic 
from A to C and from C to B , without changing any other cells. Hence in both 
cases, in this model, they increase the total load by one unit of traffic. 

The simplest cost metric for disguising traffic is just the change in the total 
traffic load from the actual to the observed TM. Let $T_1$ and $T_2$ be two traffic 
matrices, and define the distance between them to be 

\[ d(T_1, T_2) = |L(T_1) - L(T_2)|. \]

In the simplest case, the cost is just the distance as defined above. In general, 
the cost may be non-linear in the distance, and may be different for padding 
than for rerouting.⁷ For the remainder of this paper, we will only consider the 
simple case. 

⁶ We can then estimate the amount of information that the observations give to the 
adversary in terms of the relative entropy from the knowledge to the observations. 

⁷ Padding and rerouting costs may not be the same if node computation is consid- 
ered. It may be much easier for a node that receives a dummy message to decode 
5.2 Sender Strategies 


Making changes to the actual traffic matrix by rerouting and padding will in- 
crease the total traffic load in the system, and the sender may not wish to incur 
large costs. Sender strategies may be thought of in two factors. The first factor 
is whether a neutral traffic matrix is sent every period, or whether a non-neutral 
observed traffic matrix is acceptable. The second factor is whether or not the 
sender adapts the costs it is willing to incur to the actual traffic it must send. 
These are not unrelated, as is explained below. 

If the observed traffic matrix is always made neutral, then the sender must 
use a total load sufficient to handle the peak amount of traffic expected (modulo 
traffic shaping⁸), and must always reroute and pad to that level. Often, the total 
traffic load of the observed traffic matrix will be many times larger than the 
total traffic load of the actual traffic matrix, and the sender will just have to 
live with these costs. The advantage of this is that the adversary never learns 
anything; the traffic always appears to be uniform and the rates never vary. 

If the set of actual TMs to be sent is known to the sender in advance, then 
an adaptive strategy may be used to minimize the total cost. The “peaks” in the 
actual TMs are flattened using rerouting. Then the maximum matrix cell value 
over all of the TMs resulting from rerouting is chosen as the amplitude of the 
neutral TMs to send for that sequence. 

Mechanisms for dynamically handling changing load requirements are con- 
sidered in Venkatraman and Newman-Wolfe [21]. Here, the sender may change 
the uniform level in the neutral traffic matrix, adjusting it higher when there 
are more data to send and lower when there are fewer. This will reduce the 
costs for disguising the actual traffic patterns. However, the sender should avoid 
making frequent adjustments of small granularity in order to avoid providing 
the adversary with too much information about the total actual load.⁹ 

If non-neutral traffic matrices are acceptable, the sender can either set a cost 
target and try to maximize the adversary’s uncertainty, or can set an uncertainty 
target and try to minimize the cost of reaching it. Regardless, the goal is to keep 
the amortized cost of sufficiently disguising the actual TMs reasonable. In the 
former case, a non-adaptive strategy can be employed, in the sense that the 
cost will not depend on the actual traffic matrix. If the sender always uses the 
same cost for each period, and the adversary knows this cost, then this severely 
reduces the entropy for the adversary. Here, the adversary need only consider 


the encrypted header and determine that the remainder of the message is to be dis- 
carded than it is for the node to decrypt and reencrypt the message body, create an 
appropriate TAP header and network header, then form the forwarded message and 
send it on to the true destination. 

⁸ In traditional networking, traffic shaping is a form of flow control that is intended 
to reduce the burstiness and unpredictability of the traffic that the sources inject 
into the network so as to increase efficiency and QoS [6, 4, 17]. In TAP networks it 
is used to hide traffic flow information [1]. 

⁹ A “Pump”-type [7] approach may be taken to lessen the leaked information. 
the intersection of a hypersphere and $\mathcal{T}_{T_{obs}}$. That is, the adversary knows that 

\[ T_{act} \in \{T \in \mathcal{T}_{T_{obs}} \mid d(T, T_{obs}) = c\}, \]

where c is the cost (known to the adversary) that the sender incurs each period. 

A better non-adaptive strategy is to pick a distribution for the costs for 
each period, then generate random costs from that distribution. Once a cost is 
picked, then the entropy associated with the observed TM (with respect to the 
properties of interest, if these are known by the sender) can be maximized. The 
adversary then has to consider the intersection of a ball with $\mathcal{T}_{T_{obs}}$ rather than 
a hypersphere. In this fashion, the mean cost per period can be estimated, and 
yet the adversary has greater uncertainty about the possible actual TMs that 
lead to the observations. 

When the total traffic is very low, the sender may be willing to incur a 
greater cost to pad the traffic to an acceptably high level, and when the actual 
TM already has a high entropy (for the adversary), then it may be that no 
adjustments to it need to be made (e.g., when it is already a neutral TM with a 
reasonably high total traffic load). If the cost the sender is willing to incur can 
depend on the actual traffic, then the sender can set a goal of some minimum 
threshold of uncertainty on the part of the adversary as measured by the entropy 
of the observed traffic matrix, then try to achieve that entropy with minimum 
cost. If the sender has to live within a budget, then some average cost per period 
may be set as a goal, and the sender can try to maximize entropy within this 
average cost constraint. Here, there may be two variants: 

— Offline: the sender knows what the traffic is going to be for many periods 
ahead of time, and can pick a cost for each period that balances the entropy 
that can be achieved for each period within its cost; 

— Online: the sender only knows the amortized cost goal and the history of 
traffic and costs up until the current time. 

In the offline case, the sender can achieve greater entropy if most of the actual 
TMs in the sequence have high entropy to begin with, or avoid having some 
observed TMs at the end of the sequence with low entropy because the budget 
was exhausted too early in the sequence. 

Online computation will suffer from these possibilities, but the goals can be 
changed dynamically given the history and remaining budget, if there is any 
reason to believe that the future actual TMs can be predicted from the recent 
past TMs. 


5.3 Sender and Adversary Knowledge 

In the strongest case, the sender may know the sequence of $T_{act}(i)$’s, or at least 
the set (but not the order) ahead of time and be able to plan how to disguise 
that particular set of actual TMs. A weaker assumption is that the sender knows 
the probability distribution for the actual TMs (or for properties they possess) 
ahead of time, and the actual sequence is close to this (defined by some error 
metric). 

What the adversary sees, and what the adversary knows, a priori, determine 
what the adversary learns from a sequence of observations. For example, if the 
sender always sends neutral TMs of the same magnitude the adversary learns 
very little (only a bound on the total load), but the sender must accept whatever 
cost is needed to arrive at the neutral TM that is always sent. 

On the other hand, if the sender sends different TMs each period, then what 
the adversary learns can depend on what the sender had to disguise and the 
adversary’s knowledge of that. 

For example, if the sender always has the same actual TM, but disguises it 
differently each time, and the adversary knows this, then that adversary can 
take the intersection of all of the sets of TMs consistent with the observed TMs 
over time to reduce uncertainty over what was actually sent: 

\[ T_{act} \in \bigcap_{i} \mathcal{T}_{T_{obs}(i)}, \]

where $T_{obs}(i)$ is the $i$th observed TM. The entropy (if all TMs are equally prob- 
able) is then 

\[ S = \lg\left( \left| \bigcap_{i} \mathcal{T}_{T_{obs}(i)} \right| \right), \]

where $\lg$ is shorthand for $\log_2$. Other adversary information (on sender cost 
budgets or expected traffic pattern properties) may further limit the entropy. 

If the sender always uses the same cost $c$ for each period, and the adversary 
knows this cost, then as stated in Section 5.2, the adversary knows that 

$$T_{act} \in \{\, T \in \mathcal{T}_{T_{obs}} \mid d(T, T_{obs}) = c \,\}.$$

The entropy is then 

$$S = \lg\left( \left| \{\, T \in \mathcal{T}_{T_{obs}} \mid d(T, T_{obs}) = c \,\} \right| \right).$$

If the sender has different actual TMs each period, and has a cost distribution 
that is randomly applied (and the adversary knows what it is), then the adversary 
can determine the probability for each $T \in \mathcal{T}_{T_{obs}}$ according to $d(T, T_{obs})$. 
Let 

$$\mathcal{S}_c(T_{obs}) = \{\, T \in \mathcal{T}_{\langle G, w \rangle} \mid d(T, T_{obs}) = c \,\}$$

be the hypersphere at distance $c$ from $T_{obs}$ of feasible traffic matrices for a graph 
$G$. Let 

$$\mathcal{P}_c(T_{obs}) = \{\, T \in \mathcal{T}_{T_{obs}} \mid d(T, T_{obs}) = c \,\} = \mathcal{T}_{T_{obs}} \cap \mathcal{S}_c(T_{obs})$$

be the intersection of the hypersphere at distance $c$ from $T_{obs}$ and the TMs from 
which $T_{obs}$ can be $R,P$-derived, $\mathcal{T}_{T_{obs}}$. Let 

$$U = \{(c, p_c)\}$$

be the sender's probability distribution for costs (i.e., cost $c$ is incurred with 
probability $p_c$). Of course this distribution is dependent on how we do our TAP, 
and should be considered as a dynamic distribution. So 

$$\sum_{c=0}^{\infty} p_c = 1.$$

Then the attacker can infer that 

$$\sum_{T \in \mathcal{P}_c(T_{obs})} prob(T \mid T_{obs}, U) = p_c,$$

so, with the TMs within a shell taken as equally probable, 

$$prob(T \mid T_{obs}, U) = \frac{p_c}{|\mathcal{P}_c(T_{obs})|} \quad \text{for } T \in \mathcal{P}_c(T_{obs}).^{10}$$

If the sender adapts the cost to the actual traffic matrix, but still has an 
amortized cost per period goal that the adversary knows, then it may still be 
possible for the adversary to assign probabilities to the TMs in $\mathcal{T}_{T_{obs}}$, based on 
assumptions (or knowledge) of the nature of the distribution of the actual TMs. 


6 Transforms 

This section formally describes the two types of TAP method considered in this 
paper, padding and rerouting. 


6.1 Padding 

If we limit the TAP method to be padding only, then every element of $T_{act}$ is 
pointwise bounded by the corresponding element of $T_{obs}$: 

$$T_{act}[i,j] \le T_{obs}[i,j].$$

In fact, 

$$T_{obs} = T_{act} + P,$$

where $P$ is a traffic matrix (i.e., it is non-negative) representing the pad traffic 
added to the true traffic in $T_{act}$. 


6.2 Rerouting 

If the TAP method is limited to rerouting alone, then the true traffic matrix 
must be a preimage of the apparent traffic matrix under transformation by some 
rerouting quantities. Rerouting effects will be represented by a rerouting differ- 
ence matrix, $D_r$, that describes the change in traffic due to rerouting, so that 

$$T_{obs} = T_{act} + D_r.$$

Note that $D_r$ may have negative elements. 

$^{10}$ There is a little hair here. The probability distribution may have a long tail (i.e., 
large $c$'s have nonzero $p_c$'s), but for a particular $T_{obs}$, there is a maximum possible 
distance for TMs in $\mathcal{P}_c(T_{obs})$. The adversary must normalize the distribution over 
the set of possible costs to account for this. 

For distinct nodes $A, B, C \in [1..N]$ we define the unit reroute matrix as 
follows. The unit reroute matrix $U_{A,B,C}$ for rerouting one unit of traffic from $A$ 
to $C$ via $B$ is the $N \times N$ matrix consisting of all zeros except that $U_{A,B,C}[A,C] = 
-1$, representing a unit decrease in the traffic from $A$ to $C$ due to rerouting, and 
$U_{A,B,C}[A,B] = U_{A,B,C}[B,C] = 1$, representing a unit increase in the traffic from 
$A$ to $B$ and from $B$ to $C$ due to rerouting: 

$$U_{A,B,C}[i,j] = \begin{cases} 1 & \text{iff } (i = A \wedge j = B) \vee (i = B \wedge j = C) \\ -1 & \text{iff } i = A \wedge j = C \\ 0 & \text{otherwise.} \end{cases}$$

The unit reroute matrix $U_{A,B,C}$ has row and column sums equal to zero for 
all rows and columns except for the intermediate node's: 

$$\sum_{i=1}^{N} U_{A,B,C}[i,j] = 0 \quad \forall j \in [1..N],\ j \ne B,$$

$$\sum_{j=1}^{N} U_{A,B,C}[i,j] = 0 \quad \forall i \in [1..N],\ i \ne B.$$

For the intermediate node, $B$, the row and column sum are each equal to one: 

$$\sum_{i=1}^{N} U_{A,B,C}[i,B] = 1, \qquad \sum_{j=1}^{N} U_{A,B,C}[B,j] = 1.$$

The total change in the traffic load due to a unit reroute is thus one. 

Reroute quantities may be represented by a three-dimensional array, $r[A,B,C]$, 
indicating the number of packets rerouted from source $A$ via intermediate node 
$B$ to destination $C$. Note that the reroute quantities $r[A,A,A]$, $r[A,A,B]$ and 
$r[A,B,B]$ are all zero, as they represent either self-communication or rerouting 
via either the source or destination node itself. 

From the reroute quantities and the unit reroute matrices, we may compute 
the rerouting difference matrix, $D_r$, which represents the net rerouting effects 
for all rerouting specified by $r$ simultaneously. If $k$ units of traffic are rerouted 
from $A$ to $C$ via $B$, then a contribution of $k\,U_{A,B,C}$ is made by these rerouted 
packets to $D_r$. Then the matrix representing the net difference due to rerouting 
is just the elementwise matrix sum of the weighted unit reroute matrices, 

$$D_r = \sum_{A,B,C \in [1..N]} r[A,B,C]\, U_{A,B,C}.$$

Any rerouting difference matrix $D_r$ of a non-negative $r$ must have a non- 
negative sum over all its elements (or aggregate traffic load); in fact, 

$$\sum_{i=1}^{N} \sum_{j=1}^{N} D_r[i,j] = \sum_{i=1}^{N} \sum_{j=1}^{N} \sum_{k=1}^{N} r[i,k,j].$$

Since each unit reroute matrix represents a unit increase in the total traffic load, 
it is obvious that the total increase in the aggregate traffic load is equal to the 
total amount of rerouting performed. 

6.3 Discussion 

Both padding and rerouting cause a net increase in the resultant TM. Thus, for 
a TM $T$ to be a preimage of an observed TM, $T_{obs}$, its total load is bounded 
above by the total load of the observed TM, 

$$L(T) \le L(T_{obs}).$$

Furthermore, it may be noted that for both transforms, the row and column 
totals either remain the same or increase. Therefore, 

$$\sum_{i=1}^{N} T[i,j] \le \sum_{i=1}^{N} T_{obs}[i,j] \quad \forall j \in [1..N], \quad \text{and}$$

$$\sum_{j=1}^{N} T[i,j] \le \sum_{j=1}^{N} T_{obs}[i,j] \quad \forall i \in [1..N], \quad \text{for any } T \in \mathcal{T}_{T_{obs}}.$$

An arbitrary $N \times N$ matrix whose sum of elements is non-negative may not 
be realizable as a rerouting difference matrix. There may be negative elements in 
the rerouting difference matrix, so the true traffic matrix $T_{act}$ is not constrained 
to be pointwise bounded by $T_{obs}$, as is the case when only padding is used. 
However, the row and column traffic bounds and the constraints on the rerouting 
difference matrices do limit the set of traffic matrices that could give rise to an 
observed TM. This in turn means that for some TMs the conditional probability 
will be zero for a given $T_{obs}$ even if the aggregate traffic bound, or even the row 
and column traffic constraints, are satisfied. 

Now the issue is the degree to which the uncertainty that can be created 
by rerouting and padding is adequate to mask the true TM. This is in effect 
represented by the entropy. 

7 Examples 

Consider a simple example: the attacker observes 3 nodes each sending 1 message 
to each of the others, but, of course, none to themselves. She knows nothing about the 
padding or rerouting policies of these nodes. Let us see what level of anonymity 
this gives us. The observed matrix is: 

$$T_{obs} = \begin{pmatrix} 0 & 1 & 1 \\ 1 & 0 & 1 \\ 1 & 1 & 0 \end{pmatrix}.$$

The rows (columns) represent a message leaving (going to) nodes $A$, $B$, or $C$ 
respectively. We now try to calculate the set of matrices $T_{act}$ which could have 
resulted in the above $T_{obs}$ after having been subjected to padding or rerouting. 

We start by considering rerouting. There are six possible traffic matrices that 
can be rerouted into $T_{obs}$ with a single reroute. Consider 

$$T_1 = \begin{pmatrix} 0 & 2 & 0 \\ 1 & 0 & 1 \\ 1 & 0 & 0 \end{pmatrix}.$$

If we take one message that was sent from $A$ to $B$, and redirect that message via 
the intermediary node $C$, our new traffic matrix is just $T_{obs}$. Thus, we see that 
rerouting can hide the true traffic pattern, which is $T_1$, by making the traffic 
pattern look like $T_{obs}$. In fact there are five more traffic matrices which can be 
disguised to look like $T_{obs}$ by using one rerouting of a message. Those traffic 
matrices are $T_2, \ldots, T_6$: 

$$T_2 = \begin{pmatrix} 0 & 0 & 2 \\ 1 & 0 & 0 \\ 1 & 1 & 0 \end{pmatrix}, \quad T_3 = \begin{pmatrix} 0 & 1 & 1 \\ 2 & 0 & 0 \\ 0 & 1 & 0 \end{pmatrix}, \quad T_4 = \begin{pmatrix} 0 & 1 & 0 \\ 0 & 0 & 2 \\ 1 & 1 & 0 \end{pmatrix},$$

$$T_5 = \begin{pmatrix} 0 & 1 & 1 \\ 0 & 0 & 1 \\ 2 & 0 & 0 \end{pmatrix}, \quad T_6 = \begin{pmatrix} 0 & 0 & 1 \\ 1 & 0 & 1 \\ 0 & 2 & 0 \end{pmatrix}.$$


Now consider rerouting two messages. Observe the matrix 

$$T_{-1} = \begin{pmatrix} 0 & 2 & 0 \\ 2 & 0 & 0 \\ 0 & 0 & 0 \end{pmatrix}.$$

If that is the true traffic matrix, then we can disguise this traffic pattern by 
taking one of the messages from $B$ to $A$ and redirecting it through $C$; this results in 
the above traffic matrix $T_1$, and as we noted another rerouting at this level will 
result in $T_{obs}$. But notice that $T_{-1}$ will also result in $T_3$ after rerouting one of 
the $A$ to $B$ messages through $C$. Matrices of this form, two messages in each 
direction on a single pair of nodes, give three distinct two-reroute preimages, one 
per pair of nodes. (Three further two-reroute preimages exist, in which one node 
exchanges a single message in each direction with both of the others, for example 
$A$ sending one message to and receiving one message from each of $B$ and $C$; every 
entry of these is at most one, so they are already counted below among the padding 
preimages of $T_{obs}$ and add nothing new.) At this point we see there are 
$6 + 3 = 9$ possible traffic matrices hidden by $T_{obs}$ that are not counted elsewhere. 

We have been concentrating on rerouting. Let us now turn our attention 
to padding. The traffic after the padding has been applied must equal $T_{obs}$, so 
each link can be padded by at most 1 message. This gives us six entries in the 
matrix with the freedom of one bit for each entry. This results in $2^6$ possible 
traffic matrices. Since we count $T_{obs}$ itself as a possible traffic matrix, this gives 
us $2^6 - 1$ additional traffic matrices. 

So far, we have 1 traffic matrix if we count $T_{obs}$, another $2^6 - 1$ by counting 
possible traffic matrices by padding, 6 by counting rerouting of 1 message, and 
another 3 by counting a prior rerouting. We are not done yet. Consider the six 
traffic matrices $T_1, \ldots, T_6$ that result from rerouting of 1 message. Each one of 
these may be the result of padding from a sparser traffic matrix. For example 
consider $T_2$ and the lower triangular entries that are ones. If the original traffic 
matrix was 

$$\begin{pmatrix} 0 & 0 & 2 \\ 1 & 0 & 0 \\ 0 & 0 & 0 \end{pmatrix},$$

we can obtain $T_2$ by two 1-pads. In fact we see that 
the entries that "are one" in $T_2$ give us three degrees of freedom, with one bit 
for each degree of freedom. This results in $2^3$ possible traffic matrices that result 
in $T_2$ after the 1-pads. (Padding the entry equal to two adds no new candidates: 
lowering it to one or zero gives a matrix pointwise bounded by $T_{obs}$, which is already 
counted among the padding preimages of $T_{obs}$.) So as not to count $T_2$ twice this 
gives us $2^3 - 1$ unique traffic matrices. This follows for all six of the one-level 
rerouting traffic matrices. Therefore, we have an additional $6(2^3 - 1)$ possible 
traffic matrices to consider. 

So we see that 

$$|\mathcal{T}_{T_{obs}}| = 1 + (2^6 - 1) + 6(2^3 - 1) + 6 + 3 = 2^6 + 3(2^4 + 1) = 115.$$
This hides the actual traffic matrix behind a probability of $1/115$ (taking all 115 
candidates as equally likely). If $T_{obs}$ were a little more exciting, say 

$$T_{obs} = \begin{pmatrix} 0 & 5 & 5 \\ 5 & 0 & 5 \\ 5 & 5 & 0 \end{pmatrix},$$

the probability of the actual traffic matrix would be much smaller, but this lower 
probability comes at the cost of excessive reroutes and padding. Therefore, pragmatic 
choices must be made, as is usually the case, when one wishes to obfuscate one's 
true business on a network. 
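The following Python program is an added worked example; it is not part of the paper. For the three-node example above it implements the unit reroute matrix $U_{A,B,C}$ of Section 6.2, the enumeration of $\mathcal{T}_{T_{obs}}$ as the closure of $\{T_{obs}\}$ under inverse padding and inverse rerouting (which recovers $T_1, \ldots, T_6$ and the count of 115 without the hand case analysis of Section 7), the intersection of preimage sets over several observations of one sender from Section 5.3, and the adversary's posterior $prob(T \mid T_{obs}, U) = p_c / |\mathcal{P}_c(T_{obs})|$ with the renormalisation over feasible costs that footnote 10 calls for. Two points are assumptions of the example rather than definitions taken from the paper: the cost $d(T, T_{obs})$ is taken to be $L(T_{obs}) - L(T)$, the number of unit pads plus unit reroutes needed to reach $T_{obs}$ (each raises the load by one, Section 6.3), and the second observation `T_OBS_2` and the geometric cost policy are constructed inputs. Nodes are indexed $A = 0$, $B = 1$, $C = 2$.

```python
"""Traffic-matrix preimages under padding and rerouting (added example, not from the paper)."""
from itertools import permutations
from math import log2
from typing import Dict, FrozenSet, Iterable, Set, Tuple

Matrix = Tuple[Tuple[int, ...], ...]  # N x N traffic matrix; nodes A=0, B=1, C=2

# Constructed inputs: the observed TM of Section 7 (each node sends one message to
# each other node) and a second, differently disguised observation of the same sender.
T_OBS: Matrix = ((0, 1, 1), (1, 0, 1), (1, 1, 0))
T_OBS_2: Matrix = ((0, 0, 1), (1, 0, 0), (0, 1, 0))

def freeze(rows: Iterable[Iterable[int]]) -> Matrix:
    return tuple(tuple(int(x) for x in r) for r in rows)

def load(t: Matrix) -> int:
    """Aggregate load L(T): the sum of all entries."""
    return sum(map(sum, t))

def unit_reroute(n: int, a: int, b: int, c: int) -> Matrix:
    """U_{A,B,C} of Section 6.2: one unit leaves link A->C and appears on A->B and B->C."""
    if len({a, b, c}) != 3:
        raise ValueError("source, intermediary and destination must be distinct")
    m = [[0] * n for _ in range(n)]
    m[a][c] -= 1
    m[a][b] += 1
    m[b][c] += 1
    return freeze(m)

def subtract(t: Matrix, d: Matrix) -> Matrix:
    return freeze([[x - y for x, y in zip(tr, dr)] for tr, dr in zip(t, d)])

def unpad_preimages(t: Matrix) -> Set[Matrix]:
    """Inverse padding: remove one pad unit from any positive off-diagonal entry."""
    out: Set[Matrix] = set()
    for i, row in enumerate(t):
        for j, x in enumerate(row):
            if i != j and x >= 1:
                m = [list(r) for r in t]
                m[i][j] -= 1
                out.add(freeze(m))
    return out

def reroute_preimages(t: Matrix) -> Set[Matrix]:
    """Inverse of one unit reroute: T - U_{A,B,C} is a preimage whenever both rerouted
    hops A->B and B->C are present in T, which keeps the result non-negative."""
    n = len(t)
    return {subtract(t, unit_reroute(n, a, b, c))
            for a, b, c in permutations(range(n), 3) if t[a][b] >= 1 and t[b][c] >= 1}

def preimages(t_obs: Matrix) -> FrozenSet[Matrix]:
    """T_{T_obs}: closure of {T_obs} under inverse padding and inverse rerouting.
    Every inverse step lowers the load by one, so the search terminates."""
    seen = {t_obs}
    frontier = [t_obs]
    while frontier:
        t = frontier.pop()
        for cand in unpad_preimages(t) | reroute_preimages(t):
            if cand not in seen:
                seen.add(cand)
                frontier.append(cand)
    return frozenset(seen)

def intersect_preimages(observations: Iterable[Matrix]) -> FrozenSet[Matrix]:
    """Section 5.3: a fixed actual TM disguised differently each period lies in the
    intersection of the preimage sets of all observed TMs."""
    return frozenset.intersection(*(preimages(t) for t in observations))

def uniform_entropy(candidates: FrozenSet[Matrix]) -> float:
    """S = lg |candidates| when every candidate TM is equally probable."""
    return log2(len(candidates))

def cost_shells(t_obs: Matrix) -> Dict[int, int]:
    """|P_c(T_obs)| per cost c. Assumption: d(T, T_obs) = L(T_obs) - L(T), the number
    of unit pads plus unit reroutes needed, since each raises the load by one."""
    shells: Dict[int, int] = {}
    for t in preimages(t_obs):
        c = load(t_obs) - load(t)
        shells[c] = shells.get(c, 0) + 1
    return shells

def posterior_entropy(shells: Dict[int, int], cost_dist: Dict[int, float]) -> float:
    """Entropy (bits) of prob(T | T_obs, U) = p_c / |P_c(T_obs)|, after renormalising the
    sender's cost distribution U over the costs feasible for this T_obs (footnote 10)."""
    feasible = {c: p for c, p in cost_dist.items() if shells.get(c, 0) > 0}
    z = sum(feasible.values())
    entropy = 0.0
    for c, p in feasible.items():
        q = (p / z) / shells[c]  # probability of one particular TM in shell c
        entropy -= shells[c] * q * log2(q)
    return entropy

if __name__ == "__main__":
    hidden = preimages(T_OBS)
    print(f"|T_Tobs| = {len(hidden)}, {len(reroute_preimages(T_OBS))} single-reroute preimages, "
          f"entropy if uniform = {uniform_entropy(hidden):.3f} bits")
    print("shell sizes by cost:", dict(sorted(cost_shells(T_OBS).items())))
    # Constructed sender policy: cost c with probability 2^-(c+1), a long tail to renormalise.
    geometric = {c: 0.5 ** (c + 1) for c in range(32)}
    print(f"entropy under geometric cost policy = {posterior_entropy(cost_shells(T_OBS), geometric):.3f} bits")
    both = intersect_preimages([T_OBS, T_OBS_2])
    print(f"two observations of one sender: {len(both)} candidates, {uniform_entropy(both):.3f} bits")
```

Running the file reports 115 candidate matrices with 6 single-reroute preimages and a uniform entropy of about 6.85 bits, matching the count above. The cost shells show where the uncertainty sits: one matrix at cost 0 ($T_{obs}$ itself), 12 at cost 1 (the six $T_i$ and the six single unpads), 36, 38 and 21 at costs 2, 3 and 4, six at cost 5 and one at cost 6. Under the geometric cost policy, which favours cheap disguises, the posterior entropy falls to roughly 4 bits although the candidate set is unchanged, and combining the two observations of the same sender shrinks the candidate set to 14 matrices. The enumeration is exhaustive and so only practical for small $N$ and small loads; the 5-message matrix at the end of Section 7 already calls for a smarter count.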


8 Conclusions 

This paper represents a step in the direction of precisely defining the amount 
of success a TAP system has in hiding the nature of the actual traffic matrix 
from a global, passive adversary. Padding and rerouting are considered, with 
observations on the effects each has on the difference between the actual and the 
observed TM. The paper introduces an entropy-based approach to the amount 
of uncertainty the adversary has in determining the actual TM, or alternatively, 
the probability that the actual TM has a property of interest. 

If the sender has no cost constraints, then it may adopt a strategy of trans- 
mitting neutral TMs, providing the adversary with minimal information. If the 
sender does have cost constraints, then it may not be able always to send neutral 
TMs, so it must use other approaches. The goal may be to maintain a certain 
cost distribution and to maximize the adversary’s uncertainty within that bud- 
get, or it may be to achieve a minimum degree of uncertainty in the adversary 
while minimizing the cost of doing so. 